Naushad Kasu

RSA NetWitness Log & Network Parser Meta Mapping

Blog Post created by Naushad Kasu Employee on Apr 3, 2019

Often, Administrators and Content Managers alike need more information about the current status of their parsers (both Log and Network [formerly Packet]). There is an older, fancier interface for Log parser meta keys located here:

The script in this blog post is a bit more real-time and allows you to gain some additional visibility into your meta keys.




Please ensure you have run the on your SA Server (10.x) or NW Server / Node0 (v11). The script requires access to downstream services using SCP for the log parsing functionality.




Log Parser -> Meta Key Mapping:
When run in Log mode with a specific parser as a parameter, the script outputs all of the meta keys used in that parser. It also outputs each key's format and whether that key is "Passed to the Concentrator", that is, whether the key's flag is set to Transient (not passed to the Concentrator in the session) or None (passed to the Concentrator).
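To illustrate what the Log mode check is looking at, here is an added Python example that is not the script from this post: it reads a constructed parser file and a constructed table-map fragment (the mapping element and its envisionName/nwName/flags/format attributes are assumed from the table-map.xml layout) and reports each meta key's format and whether it is passed to the Concentrator.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample parser (not RSA's rhlinux.xml). MESSAGE content refers to
# envision variables as <name> tokens; the XML escaping is unescaped on parse.
PARSER_XML = """<DEVICEMESSAGES name="sample" displayname="Sample Parser">
  <MESSAGE id1="LOGIN" id2="LOGIN"
           content="&lt;username&gt; logged in from &lt;saddr&gt; port &lt;sport&gt;"/>
  <MESSAGE id1="FAIL" id2="FAIL"
           content="failed login for &lt;username&gt;: &lt;info&gt; code &lt;fld9&gt;"/>
</DEVICEMESSAGES>"""

# Constructed table-map fragment. Assumed layout: one <mapping> per envision
# variable, flags="None" (passed to Concentrator) or "Transient" (not passed).
TABLE_MAP_XML = """<mappings>
  <mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4"/>
  <mapping envisionName="sport" nwName="ip.srcport" flags="None" format="UInt16"/>
  <mapping envisionName="info" nwName="info" flags="Transient" format="Text"/>
</mappings>"""

TOKEN = re.compile(r"<([A-Za-z0-9_]+)>")  # matches <username>, <saddr>, ...

def load_table_map(xml_text):
    """envisionName -> (nwName, format, flags) for every mapping entry."""
    root = ET.fromstring(xml_text)
    return {m.get("envisionName"): (m.get("nwName"), m.get("format"), m.get("flags", "None"))
            for m in root.iter("mapping")}

def parser_meta_keys(parser_xml, table_map):
    """Return ({nwName: (format, passed_to_concentrator)}, {unmapped variables})."""
    root = ET.fromstring(parser_xml)
    keys, unmapped = {}, set()
    for msg in root.iter("MESSAGE"):
        for var in TOKEN.findall(msg.get("content", "")):
            if var not in table_map:
                unmapped.add(var)  # no table-map entry: never becomes session meta
                continue
            nw, fmt, flags = table_map[var]
            keys[nw] = (fmt, flags != "Transient")
    return keys, unmapped

if __name__ == "__main__":
    mapped, missing = parser_meta_keys(PARSER_XML, load_table_map(TABLE_MAP_XML))
    for nw, (fmt, passed) in sorted(mapped.items()):
        print(f"{nw:<12} {fmt:<8} passed_to_concentrator={passed}")
    print("variables with no table-map entry:", sorted(missing))
```

Variables the parser emits but table-map does not know (here the constructed fld9) are listed separately, since that is the usual reason a key never shows up on the Concentrator.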


Network Parser -> Meta Key Mapping:
When run in Network mode with the IP of the Network Decoder, the script outputs all of the Enabled parsers with their respective keys.

White = Enabled
Yellow = Transient
Red = Disabled




To run in Log mode:
Example: ./ -l <PARSER NAME> -i <LOG DECODER IP>
Example: ./ -l rhlinux -i


To run in Network mode:
Example: ./ -n -i <NETWORK DECODER IP>
Example: ./ -n -i

Sample Output


Log Parser -> Meta Key Mapping


Network Parser -> Meta Key Mapping